CVE-2020-11028

In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33).

CVSS v3 7.5 HIGH
CVSS v2.0 4.3 MEDIUM

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html	Mailing List Third Party Advisory
https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates	Release Notes Vendor Advisory
https://www.debian.org/security/2020/dsa-4677	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

Configuration 3 (hide)

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

History

14 Sep 2021, 14:04

Type	Values Removed	Values Added
CPE		cpe:2.3:o:debian:debian_linux:8.0:::::::*
CWE	~~CWE-200~~	CWE-306
References	~~(MLIST) https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html -~~	(MLIST) https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html - Mailing List, Third Party Advisory

Information

Published : 2020-04-30 23:15

Updated : 2023-12-10 13:27

NVD link : CVE-2020-11028

Mitre link : CVE-2020-11028

CVE.ORG link : CVE-2020-11028

JSON object : View

Products Affected

wordpress

wordpress

debian

debian_linux

CWE

CWE-306

Missing Authentication for Critical Function

CWE-284

Improper Access Control

{"id": "CVE-2020-11028", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 1.3}]}, "published": "2020-04-30T23:15:11.683", "references": [{"url": "https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates", "tags": ["Release Notes", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.debian.org/security/2020/dsa-4677", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33)."}, {"lang": "es", "value": "En las versiones afectadas de WordPress, algunas publicaciones privadas, que anteriormente eran p\u00fablicas, pueden resultar en una divulgaci\u00f3n no autenticada bajo un conjunto espec\u00edfico de condiciones. Esto ha sido corregido en la versi\u00f3n 5.4.1, junto con todas las versiones afectadas anteriormente mediante una versi\u00f3n menor (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33)."}], "lastModified": "2021-09-14T14:04:08.663", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2E79CBDF-EE25-487C-8276-74F4928ECDFF", "versionEndExcluding": "5.4.1"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}